GCP Account Setup
A properly structured GCP organization prevents billing surprises, simplifies access management, and scales with your team. This page covers account creation, resource hierarchy, billing configuration, and essential tooling — the foundation every GCP engineer needs before deploying services.
Create a GCP Account
- Visit cloud.google.com/free and sign in with a Google account
- Complete identity verification (credit card required; free tier does not auto-charge)
- New accounts receive $300 credit valid for 90 days
- For teams, set up Cloud Identity or Google Workspace for centralized user management
Resource Hierarchy
Organization (optional, for enterprises)
└── Folder (optional, for departments)
    └── Project (billing and API boundary)
        └── Resources (VMs, buckets, databases)
| Concept | Purpose | When to Use |
|---|---|---|
| Organization | Root node for enterprise policy and billing | Company-wide GCP adoption |
| Folder | Group projects by team or environment | Multi-team orgs |
| Project | Billing unit; all resources belong to a project | Always — minimum isolation unit |
| Resource | Individual service instance | VMs, buckets, clusters |
Create a Project
gcloud projects create learning-gcp-dev \
--name="Learning GCP Dev"
gcloud config set project learning-gcp-dev
# Link billing account
gcloud billing accounts list
gcloud billing projects link learning-gcp-dev \
--billing-account=BILLING_ACCOUNT_ID
Multi-Environment Project Layout
| Project | Purpose | Example Name |
|---|---|---|
| Dev | Developer experimentation | myapp-dev |
| Staging | Pre-production testing | myapp-staging |
| Prod | Production workloads | myapp-prod |
| Shared | Artifact Registry, DNS, logging | myapp-shared |
Install and Configure gcloud CLI
# macOS
brew install google-cloud-sdk
# Linux
curl https://sdk.cloud.google.com | bash
gcloud init # Interactive setup
gcloud auth application-default login # For local SDK auth
gcloud config list # View current configuration
Configuration Profiles
Use named configurations for switching between projects:
gcloud config configurations create dev
gcloud config set project myapp-dev
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a
gcloud config configurations create prod
gcloud config set project myapp-prod
gcloud config set compute/region us-east1
# Switch between environments
gcloud config configurations activate dev
Set defaults to reduce repetitive flags:
gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-a
Service Accounts for Automation
Use service accounts for CI/CD and server-to-server auth — never personal credentials in production:
gcloud iam service-accounts create ci-deployer \
--display-name="CI Deployer"
gcloud projects add-iam-policy-binding learning-gcp-dev \
  --member="serviceAccount:ci-deployer@learning-gcp-dev.iam.gserviceaccount.com" \
  --role="roles/compute.instanceAdmin.v1"
# Create and download key (use Workload Identity Federation when possible)
gcloud iam service-accounts keys create key.json \
--iam-account=ci-deployer@learning-gcp-dev.iam.gserviceaccount.com
Prefer Workload Identity Federation over long-lived keys for external CI systems (GitHub Actions, GitLab CI). Keys do not expire and are a common breach vector.
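An added example, not part of the original page: a Python check that reads key listings in the JSON shape of `gcloud iam service-accounts keys list --format=json` and reports user-managed keys that are old or carry no practical expiry. The sample keys, the 90-day threshold, the far-future expiry value and the reference date are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the output of
#   gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json
# Key IDs and timestamps are made up for illustration.
SA_EMAIL = "ci-deployer@learning-gcp-dev.iam.gserviceaccount.com"
PREFIX = f"projects/learning-gcp-dev/serviceAccounts/{SA_EMAIL}/keys/"
NEVER = "9999-12-31T23:59:59Z"  # assumed expiry shown for keys without a set lifetime
SAMPLE_KEYS = [
    {"name": PREFIX + "constructed-key-1", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T09:00:00Z", "validBeforeTime": NEVER},
    {"name": PREFIX + "constructed-key-2", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-28T00:00:00Z", "validBeforeTime": "2024-06-14T00:00:00Z"},
    {"name": PREFIX + "constructed-key-3", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-20T09:00:00Z", "validBeforeTime": NEVER},
]


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the key listing."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys, now, max_age_days=90):
    """Return (key_id, age_days, reasons) for user-managed keys needing attention."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google, not by you
        age = (now - parse_ts(key["validAfterTime"])).days
        reasons = []
        if age > max_age_days:
            reasons.append(f"older than {max_age_days} days")
        if parse_ts(key["validBeforeTime"]) - now > timedelta(days=365):
            reasons.append("no effective expiry")
        if reasons:
            findings.append((key["name"].rsplit("/", 1)[-1], age, reasons))
    return findings


if __name__ == "__main__":
    reference = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for key_id, age, reasons in audit_keys(SAMPLE_KEYS, reference):
        print(f"{key_id}: {age} days old; {', '.join(reasons)}")
```

To audit a real account, pass the parsed JSON from the gcloud command and `datetime.now(timezone.utc)` instead of the sample and fixed date.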
Billing Setup
# List billing accounts
gcloud billing accounts list
# Create a budget alert (percent is a 1.0-based fraction: 0.8 = 80%)
gcloud billing budgets create \
  --billing-account=BILLING_ACCOUNT_ID \
  --display-name="Dev Monthly Budget" \
  --budget-amount=200USD \
  --threshold-rule=percent=0.8 \
  --threshold-rule=percent=1.0
Enable billing export to BigQuery in Console → Billing → Billing export for detailed cost analysis.
Console vs. gcloud vs. Terraform
| Tool | Best For | Learning Curve |
|---|---|---|
| Cloud Console | Visual exploration, learning services | Low |
| gcloud CLI | Scripting, daily operations | Medium |
| Terraform / Pulumi | Version-controlled infrastructure | Medium-High |
| Config Connector | Kubernetes-native GCP resource management | High |
Start with the Console to learn, then adopt gcloud and infrastructure-as-code as workflows mature.
Real-World Scenario: Team Onboarding
A platform team onboards five developers:
- Create folder engineering under the organization
- Create projects myapp-dev, myapp-staging, myapp-prod in the folder
- Create Google Group [email protected] with roles/editor on dev only
- Grant roles/viewer on prod; deploy via CI/CD service account with roles/run.admin
- Set billing budgets per project with alerts at 80% and 100%
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Single project for all environments | Blast radius, billing confusion | Separate projects per environment |
| Downloading SA keys to laptops | Credential leakage risk | Use Workload Identity Federation |
| No billing alerts | Surprise invoices | Set budgets on day one |
| Using roles/owner for developers | Over-privileged access | Grant service-specific roles |
| Skipping gcloud init | Wrong project/region defaults | Run init and verify with gcloud config list |
Best Practices
- Enable 2FA on all human Google accounts
- Use groups for IAM bindings, not individual email addresses
- Restrict project creation with organization policies in enterprise setups
- Export billing to BigQuery early for FinOps visibility
- Document project naming conventions in a shared runbook
- Never commit SA keys to version control — use Secret Manager or federation
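An added example, not from the original page: a Python audit of a policy in the JSON shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`, checked against the mistakes and practices listed above (roles/owner on people, individual bindings instead of groups, write access for humans in prod). The sample policy, the example.com addresses and the myapp-prod service account email are constructed placeholders.

```python
# Constructed sample shaped like the output of
#   gcloud projects get-iam-policy myapp-prod --format=json
# Addresses are placeholders, not values from this page.
SAMPLE_PROD_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["group:developers@example.com"]},
        {"role": "roles/run.admin",
         "members": ["serviceAccount:ci-deployer@myapp-prod.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": ["group:developers@example.com"]},
    ],
    "version": 1,
}

BASIC_WRITE_ROLES = {"roles/owner", "roles/editor"}


def audit_policy(policy, environment):
    """Return sorted (member, role, issue) findings for one project's IAM policy."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]
            if kind == "user":
                # Best practice on this page: bind groups, not individuals.
                findings.add((member, role, "individual binding; grant via a group"))
            if kind in ("user", "group"):
                if role == "roles/owner":
                    findings.add((member, role, "roles/owner on a human principal"))
                elif environment == "prod" and role in BASIC_WRITE_ROLES:
                    # Onboarding scenario: humans get roles/viewer on prod only.
                    findings.add((member, role, "write access for humans in prod"))
    return sorted(findings)


if __name__ == "__main__":
    for member, role, issue in audit_policy(SAMPLE_PROD_POLICY, "prod"):
        print(f"{member} has {role}: {issue}")
```

Service account bindings are left alone here because the scenario deploys to prod through the CI/CD service account.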
Troubleshooting
“Project ID already exists”: Project IDs are globally unique. Choose a different ID:
gcloud projects create myapp-dev-2024 --name="My App Dev"
“Billing account not found”:
gcloud billing accounts list --format="table(name,displayName,open)"
# Ensure open=true and you have billing.admin role
“Application Default Credentials” errors in local SDK:
gcloud auth application-default login
gcloud auth application-default print-access-token # Verify token
Wrong project active:
gcloud config get-value project
gcloud config set project correct-project-id
Next: IAM and Security — roles, policies, and access control.